We’re seeing an increasing number of fake emails successfully spoofing official email domains. Watch out for this fake Bitcoin email arriving from ‘Selfridges’.
Cryptocurrency scams are nothing new – we’ve heard plenty about fake investment schemes/platforms in the past and, in this case, you’ll probably find it pretty unlikely that you’ve suddenly been given more than £25,000 worth of Bitcoin.
However, in this example, it’s the sender’s email that’s drawn our attention:
In the past few months we’ve been sent multiple examples of scam emails arriving in people’s inboxes spoofing some of the biggest brands in the country, and this one is no exception.
But how can this be allowed to happen? Chiara Cavaglieri investigates scams and email protection for Which?, she told me:
Most scammers simply use the email ‘display name’ to convince potential victims they are legitimate. But the most dangerous fakes spoof the sender address e.g. so that it appears to come from @yourbank.com.
Companies can protect against this using a standard called DMARC. This stands for ‘domain-based message authentication, reporting and conformance’, and helps your email provider block malicious messages that attempt to spoof the email address of a genuine company. The problem is that too few companies are making use of DMARC, including some banks. This means fraudsters can forge their email addresses with ease.
But that’s only half the story – you also need your email provider to implement DMARC checks. So, even if a company has protected its domain, if your email provider doesn’t make DMARC checks, spoof emails could still land in your inbox.
This particular spoof email was sent to a Microsoft Live Mail user – we’ve noticed that most of the spoof emails reported to Which? are sent to Outlook and Live Mail users so we asked Microsoft if it has had issues with DMARC verification. It told us in May that it is ‘not aware of an increase in spam getting through our filters’ but wouldn’t comment on our question directly.
To play it safe, never assume an email is genuine (even if the sender address looks legitimate). If the message requires action, do it ‘the long way’ e.g. by calling the company on a trusted number (not any phone number included in the email) or typing the website address into your browser (never clicking on links in the email).
We also made Selfridges aware of this email and that its domain is being spoofed. We asked if it would like to add any comment, but it did not respond.
Always question unsolicited emails
Email spoofing might be an old trick, but this is a good reminder to question emails you’re not expecting, especially when they’re promising something for nothing. Some may be more inclined to trust an email that appears to be sent from an official source.
While Selfridges of course wouldn’t send anyone emails promising them Bitcoin riches, it wouldn’t take much to appear more convincing had the content of the email from the spoofed domain been different.
Have you received suspicious-looking Bitcoin emails? Have you had any other emails spoofing the domain of well-known brands? Let us know in the comments.